From nobody Tue Oct 17 23:17:47 2023 X-Original-To: ports@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4S98zX69pKz4x9bN for ; Tue, 17 Oct 2023 23:18:16 +0000 (UTC) (envelope-from ports@lordcow.org) Received: from mail.lordcow.org (lordcow.org [IPv6:2c0f:fb18:402:5::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature ECDSA (P-256) client-digest SHA256) (Client CN "devaux.za.net", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4S98zV4Xdbz4GcT; Tue, 17 Oct 2023 23:18:14 +0000 (UTC) (envelope-from ports@lordcow.org) Authentication-Results: mx1.freebsd.org; dkim=none; spf=pass (mx1.freebsd.org: domain of ports@lordcow.org designates 2c0f:fb18:402:5::2 as permitted sender) smtp.mailfrom=ports@lordcow.org; dmarc=none Received: from lordcow.org (localhost [127.0.0.1]) by mail.lordcow.org (8.17.2/8.17.2) with ESMTPS id 39HNHrk6020393 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT); Wed, 18 Oct 2023 01:17:54 +0200 (SAST) (envelope-from lordcow@lordcow.org) X-Authentication-Warning: lordcow.org: Host localhost [127.0.0.1] claimed to be lordcow.org Received: (from lordcow@localhost) by lordcow.org (8.17.2/8.17.2/Submit) id 39HNHloP020057; Wed, 18 Oct 2023 01:17:47 +0200 (SAST) (envelope-from lordcow) Date: Wed, 18 Oct 2023 01:17:47 +0200 From: Gareth de Vaux To: DutchDaemon - FreeBSD Forums Administrator Cc: ports@freebsd.org Subject: Re: HEADS-UP: security/openssl switching to 3.0 branch Message-ID: References: <92667a5ea6afeab7ce9c55528af34f49@freebsd.org> <48b835a442707d7b8db4f4b270c12897@freebsd.org> <3aa783ad-4318-4c9a-bb1a-1065ce3a91cf@FreeBSD.org> <8fa8e262-26ed-4094-87d1-8379d7a61e19@FreeBSD.org> <4f470a05-8085-4157-9f1e-ac6ca7fe9aaa@FreeBSD.org> List-Id: Porting software to FreeBSD List-Archive: https://lists.freebsd.org/archives/freebsd-ports List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-ports@freebsd.org X-BeenThere: freebsd-ports@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED autolearn=ham autolearn_force=no version=4.0.0 X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-14) on lordcow.org X-Spamd-Bar: --- X-Spamd-Result: default: False [-3.29 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_SHORT(-0.99)[-0.991]; R_SPF_ALLOW(-0.20)[+ip6:2c0f:fb18:402:5::2]; MIME_GOOD(-0.10)[text/plain]; RCPT_COUNT_TWO(0.00)[2]; MLMMJ_DEST(0.00)[ports@freebsd.org]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; R_DKIM_NA(0.00)[]; ASN(0.00)[asn:37199, ipnet:2c0f:fb18::/32, country:ZA]; RCVD_TLS_LAST(0.00)[]; DMARC_NA(0.00)[lordcow.org]; HAS_XAW(0.00)[]; ARC_NA(0.00)[]; RCVD_COUNT_TWO(0.00)[2]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; TO_DN_SOME(0.00)[]; MID_RHS_MATCH_FROM(0.00)[] X-Rspamd-Queue-Id: 4S98zV4Xdbz4GcT On Mon 2023-10-16 (17:04), DutchDaemon - FreeBSD Forums Administrator wrote: > On 16/10/2023 13:14, DutchDaemon - FreeBSD Forums Administrator wrote: > > On 16/10/2023 13:07, Guido Falsi wrote: > > > On 16/10/23 13:03, DutchDaemon - FreeBSD Forums Administrator wrote: > > > > On 16/10/2023 12:57, Guido Falsi wrote: > > > > > On 16/10/23 11:19, DutchDaemon - FreeBSD Forums Administrator wrote: > > > > > > I found this one after a full rebuild in Poudriere: > > > > > > > > > > > > ld-elf.so.1: Shared object "libssl.so.11" not found, > > > > > > required by "transmission-daemon" > > > > > > > > > > > > > > > > I guess you will need to force rebuild/reinstall all > > > > > packages depending on openssl. > > > > > > > > > > (if I understand correctly you're using poudriere-bulk(8) to > > > > > build yout binary packages repo) > > > > > > > > > > Actually poudriere should have been able to rebuild them > > > > > itself, unless you're using the -S option, which could have > > > > > skipped some rebuilds that in this case are needed. > > > > > > > > > > If you have a broken repo (due to -S or some other unknown > > > > > reason) you will need to rebuild it from scratch (-c option) > > > > > to get a pristine and hopefully working one. > > > > > > > > > This is Poudriere, everything was rebuilt from the ground up. > > > > > > > > > > I see, but you did not report, did you "pkg upgrade -f" everything > > > depending on openssl? I'm not sure pkg will figure it out by itself > > > that it needs to do that in your case. > > > > > > It looks like you still have old binaries on your system. If > > > poudriere did end the build them all successfully it would be > > > strange it would have generated so many non working binaries without > > > experiencing failures during the build. > > > > > > > For this specific jail, 496/496 packages were built from scratch with 0 > > errors, 0 skips. > > > > The only thing I can do is pkg delete -a- f -y && pkg install > > $(list-of-node-ports) but that seems excessive. A pkg upgrade -fy on all > > ports should be enough. > > > > This actually helped. So for old, deep-down remnants of OpenSSL 1.1. to > disappear, a wholesale pkg delete -a -f -y and a reinstall of all node > packages (get them through pkg prime-origins) is advisable. portupgrade -frR openssl-3.0.11,1 did the job for me (granted, not everyone's using portupgrade). Also, there should be an entry in ports/UPDATING about this, it's a breaking change.